Re: Are We Being Paranoid?

Originally Posted by CharlesA

Good read. The sad part is it is true - convenience vs security wins in the end.

I think this is called the "Dancing Pigs Effect". Security should focus more on educating people for common sense rather than constantly hunting for 0days (not that people shouldn't try to patch vulnerabilities). Simply disabling browser scripts does a hell of a lot more than running antivirus.

Re: Are We Being Paranoid?

This thread is becoming a bit of an eye opener for me in some ways as I thought my security practices were quite solid but I wasn't aware you could find malware on sites that you think might be safe.

Your other point as well has got me thinking in that I've no idea what being hacked looks like unless it's obvious. I just assumed being hacked would mean that your finances might be in jeopardy. I imagine a lot of people think that.

The thing is - most people would trust a reputable site and "let their guard down" which makes it the perfect vector of attack.

Re: Are We Being Paranoid?

Originally Posted by CharlesA

The thing is - most people would trust a reputable site and "let their guard down" which makes it the perfect vector of attack.

That's exactly what exploit packs take advantage of. If a hacker buys an exploit pack and hacks a "reputable" site, he can put the exploit pack in that site and anyone who visits it has the potential to be infected. Theoretically this could even happen to Ubuntu Forums, but because this site has good security, and because many people who visit this forum are using a computer with GNU/Linux, it would be a very poor attack vector. But many innocent sites (especially blogs) can become zombies spreading malware. So don't trust anything 100%, even if you know the owner of the site would never put up malware!

Re: Are We Being Paranoid?

Originally Posted by Stonecold1995

I think this is called the "Dancing Pigs Effect". Security should focus more on educating people for common sense rather than constantly hunting for 0days (not that people shouldn't try to patch vulnerabilities). Simply disabling browser scripts does a hell of a lot more than running antivirus.

Are you being serious?

I am always being serious apart from when I'm not!


Re: Are We Being Paranoid?

Originally Posted by Stonecold1995

That's exactly what exploit packs take advantage of. If a hacker buys an exploit pack and hacks a "reputable" site, he can put the exploit pack in that site and anyone who visits it has the potential to be infected. Theoretically this could even happen to Ubuntu Forums, but because this site has good security, and because many people who visit this forum are using a computer with GNU/Linux, it would be a very poor attack vector. But many innocent sites (especially blogs) can become zombies spreading malware. So don't trust anything 100%, even if you know the owner of the site would never put up malware!

It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.

Re: Are We Being Paranoid?

Originally Posted by OpSecShellshock

It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.

I always advise users to block ads.

Agreed. I remember a (semi) popular forum that got tagged as malicious because of their ads. I know this is a popular method because it bypasses the main site completely and puts the blame on the company serving the ads.

Re: Are We Being Paranoid?

Originally Posted by OpSecShellshock

It's not just legit/reputable sites being compromised directly. What I see most often when I'm actively monitoring are malicious ads. Sure, there are many, many small and large sites with out of date web applications, db flaws, server software, things like that, and they do frequently get compromised. But from an ROI standpoint, nothing beats getting a malicious ad onto a widely-used legitimate platform, and it happens to the biggest ones all the time. Individually they may be relatively short-lived, but during their lifetimes they could compromise every visitor to every site that the ad platform has cycled that advertisement onto, no additional clicks necessary. And nothing the site owners can do except report the ads and hope they are removed, or stop running that ad platform.

I always advise users to block ads.

Right, but those ads are often "legit", but were compromised at some stage, aren't they? I seem to remember reading somewhere that more malicious ads are malicious because they were compromised than malicious to start out.

And I always block ads, but not because of malware but because they are annoying as hell! I just disable JavaScript, Java, and Flash in Chromium (I'm still waiting for Chrome's extensions API to be improved so that the NoScript developer can port it to Chrome) to protect from malicious scripts.

Re: Are We Being Paranoid?

Originally Posted by Stonecold1995

Right, but those ads are often "legit", but were compromised at some stage, aren't they? I seem to remember reading somewhere that more malicious ads are malicious because they were compromised than malicious to start out.

And I always block ads, but not because of malware but because they are annoying as hell! I just disable JavaScript, Java, and Flash in Chromium (I'm still waiting for Chrome's extensions API to be improved so that the NoScript developer can port it to Chrome) to protect from malicious scripts.

I don't think legitimate ads themselves get compromised so much as fraudulent "companies" place ads with platform providers, sometimes going as far as to submit one advertisement for review that is harmless and switching to the malicious ad later. There's just not a very robust review process at a lot of platforms, and I wouldn't be surprised to find that submission is automated.

Re: Are We Being Paranoid?

A reputable website. Hacked. End-user data (and perhaps worse) released. A few hours later, the fix was made, but some fairly high-traffic blogs like CNET and Verge were defaced. What happened beyond that is unknown.